|
|
| |
| The NAS-4220-B offers disk encryption through it's web interface. The key used for encrypting the disk(s) is stored on a unencrypted partition. Therefore one can extract the encryption key by removing the disk from the Raidsonic NAS-4220 and reading the value from the unencrypted partition. The key itself is stored in a file in plain (base64 encoded). Therefore the NAS-4220 crypt disk support can not be considered secure. |
| |
Credit:
The information has been provided by Collin Mulliner.
The original article can be found at: http://www.mulliner.org/security/advisories/raidsonic_nas4220_crypt_disk_key_leak_09Mar2008.txt
|
| |
The NAS-4220-B can hold two SATA disks. Disk are encrypted through a loop back device using AES128. The problem came to Collin's attention when he could access the NAS after reboot without suppling the hard disk key.
The key is stored in /system/.crypt, "/system" is a small configuration partition on the same disk that holds the encrypted partition. The system partition is created by the system software running on the NAS-4220. The configuration partition of the second hard disk is not mounted by default but also contains the .crypt file holding the key for the encrypted partition on the same disk.
Accessing the key (key value is the example Collin used):
$ cat /system/.crypt
MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
key in plain key in base64
12345678901234567890 MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=
Base64 decode:
#!/usr/bin/python
from base64 import *
print b64decode("MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=")
|
|
|
|
|
|
|
|
